Coherent pulse implementations of quantum cryptography protocols resistant to 

photon number splitting attacks 
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A new class of quantum cryptography (QC) protocols that are robust against the most gen- 
eral photon number splitting attacks in a weak coherent pulse implementation has been recently 
proposed. In this article we give a quite exhaustive analysis of several eavesdropping attacks on 
these schemes. The eavesdropper (Eve) is supposed to have unlimited technological power while the 
honest parties (Alice and Bob) use present day technology, in particular an attenuated laser as an 
approximation of a single-photon source. They exploit the nonorthogonality of quantum states for 
decreasing the information accessible to Eve in the multi-photon pulses accidentally produced by 
the imperfect source. An implementation of some of these protocols using present day technology 
allow for a secure key distribution up to distances of ~ 150 km. We also show that strong-pulse 
implementations, where a strong pulse is included as a reference, allow for key distribution robust 
against photon number splitting attacks. 



I. INTRODUCTION 

Quantum cryptography, or more precisely, quantum 
key distribution (QKD) followed by the one-time pad, is 
the only secure way of transmitting secret information 
(see [1] for a review). Its security is not based on some 
mathematical assumptions, such as a limited eavesdrop- 
per's computational power, but on the laws of Quantum 
Mechanics. Because of the Heisenberg's uncertainty prin- 
ciple, a measurement on a quantum system modifies the 
system itself. Thus, Eve's measurement on a quantum 
state carrying sender's information produces a change on 
the state that can be noticed by Alice and Bob. The se- 
curity of QKD schemes can also be understood in terms 
of the no-cloning theorem [2] . Eve cannot make and keep 
a perfect copy of the quantum state carrying the infor- 
mation from Alice to Bob [3]. 

Most of the known QKD protocols use two-dimensional 
quantum states, called qubits, as information carriers, al- 
though there exist alternative proposals using higher di- 
mensional systems, either finite [4] or infinite [5]. The 
information encoding can be performed by means of any 
two-dimensional quantum state, but very often this is 
done using photons that are sent through an optical fiber, 
the quantum channel. Therefore, Alice, must be able to 
prepare and send single photons to Bob. The existence 
of single-photon sources is then an implicit and crucial 
requirement for many of the proposed implementation of 
the existent schemes. Since there are no practical single- 
photon sources available, Alice generally uses a weak co- 
herent pulse, |/ue ), with mean photon number /i <C 1, as 
an approximation of the single-photon pulse. Moreover, 
since there is no phase reference outside Alice's lab, the 
effective state used for the information encoding is 
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with the number n of photons distributed according to 



a Poisson statistics of mean fi, p(n,fi) = e~^(i n /n\ [6,7]. 
Thus, instead of the ideal one-photon Fock state, Alice 
produces a zero-photon state with probability p(0,/i), a 
one-photon state with probability p(l, fx) and so on. 

Intuitively, the presence of pulses with more than one 
photon may deteriorate the security of the protocol, since 
a perfect copy of the quantum state is then produced by 
the imperfect single-photon source. Indeed, it was shown 
in [7,8] that the presence of these multi-photon pulses 
makes the best-known QKD protocol, the BB84 scheme 
[9], insecure if the losses in the channel become impor- 
tant. Eve can then perform the so-called photon number 
splitting (PNS) attack that allows her to get full infor- 
mation without being detected. This limits the distance 
up to which BB84 with weak coherent pulses and lossy 
optical fibers can be securely implemented. For typical 
experimental parameters this critical distance, d c , is of 
the order of 50 km. As we will show below, similar con- 
clusions are valid for weak pulse implementations of other 
QKD schemes, such as the B92 [10] and the 4+2 protocol 
[11]. 

Recently, new quantum cryptography protocols have 
been proposed that are more robust against PNS attacks 
[12]. The scope of the present article is to give a detailed 
security analysis of these protocols under different eaves- 
dropping scenarios. In the next section we review the 
PNS attack for the BB84 scheme, and we show how the 
same results and conclusions also apply for the B92 and 
4+2 protocols. Then, we discuss QKD implementations 
including a strong reference pulse as a first possibility for 
minimizing the importance of PNS attacks. Moreover, 
the results of section II give us some insight into the re- 
quirements needed for a QKD protocol to be resistant 
to PNS attacks in a weak pulse implementations. The 
family of investigated protocols is presented in section 
III. We will focus on a particular one, that differs from 
BB84 only in the classical sifting procedure for extracting 
the key. We will consider various possible attacks, some 
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which do not introduce errors, some which use cloning 
machines (which do introduce some errors), and some 
which arc the combination of both. We briefly discuss 
the experimental data of [13] in the light of our results, 
as an example of a QKD implementation secure against 
PNS attacks. At the end, we also explore possible gener- 
alizations. The last section summarizes the main results. 

Let us end the introduction with four important re- 
marks about our results. First, in order to make a fair 
comparison between all the analyzed protocols, we take 
as a reference the BB84 scheme using /i = 0.1, i.e. for all 
the protocols the raw rate at very large distances must be 
the same as in this reference scheme. Second, we do not 
consider advantage distillation protocols for secret-key 
distillation (sec for instance [14]). Therefore, a protocol 
is said secure if and only if the information Alice-Bob is 
greater than Eve's information. Indeed, it was shown in 
[15] that secret-key distillation is possible using one-way 
privacy amplification whenever 

Iab > mm(I AE , I BE ). (2) 

Third, although Eve is supposed to have unlimited tech- 
nological power, we assume that she is not able to ma- 
nipulate Bob's detector (contrary to what is done in Ref. 
[8]). This is a crucial point for our analysis [16]. In- 
deed, let us suppose that Eve can modify the detector 
efficiency, rjdet, in such a way that it is equal to one for 
those instances where she has got the full information 
(her attack is successful). If we take j^et =0.1, our re- 
sults should be modified (see for instance Eq. (4)) by a 
factor of ten, which means a factor of 10 dB, or equiva- 
lently of 40 km, in all our curves. And four, we do not 
take into account coherent attacks, where Eve interacts 
with more than one pulse [17]. 

II. THE PNS ATTACK 

Any experimental realization using photons of a QKD 
protocol with two-dimensional quantum states must ide- 
ally be performed with a single-photon source. Unfortu- 
nately, this is a very strong requirement with present day 
technology, and one has to design a way of experimen- 
tally approximating the single-photon source. In spite 
of the fact that QKD has proven to be unconditionally 
secure (see for instance [18]), this may not be the case 
any longer if the technology of the honest parties is not 
perfect. 

In most of the existent implementations, the one- 
photon pulse is approximated by a weak coherent pulse 
\^e ld ). As said above, and since there is no absolute 
phase reference, the state seen by Bob and Eve is given 
by Eq. (1), an incoherent mixture of multi- photon states 
with Poisson probabilities. Eve can then perform a pho- 
ton number non-demolition measurement, keep one of the 



photons when a multi-photon state is found, and forward 
the rest to Bob. Note that Eve's action is not detected by 
Bob if he is assumed to have only access to the average 
detection rate, and not to the statistics of the photons he 
receives. We also assume that Eve is able to control the 
losses on the line connecting Alice and Bob (or equiva- 
lently she can send photons to Bob by a lossless line). In 
this situation, Eve can perform the so-called PNS attack 
that, as we show below, limits the security of many of 
the known existing protocols. 

A. The BB84 protocol 

In the BB84 protocol [9], Alice chooses at random be- 
tween two mutually unbiased bases, in which she encodes 
a classical bit. Denoting by | ± x) (| ± y)) the eigenvec- 
tors of a x {(J y ) with eigenvalue ±1, she can encode a 
logical into either | + x) or | + y) and a 1 into cither 
| — x) or | — y). She sends the qubit to Bob, who mea- 
sures at random in the x or y basis. Then, they compare 
the basis and when they coincide, the bit is accepted. In 
this way, half of the symbols are rejected, and, in the 
absence of perturbations, they end with a shared secret 
key. In practical situations, and due to the presence of 
errors and possibly a spy, some error correction and pri- 
vacy amplification techniques have to be applied, in order 
to extract a shorter completely secure key. 

Now, let us see how Eve can take advantage of the 
multi-photon pulses. Alice sends a pulse with /i <C 1 
coding the classical bit (say on light polarization). Eve 
performs the photon number measurement and when two 
or more photons are detected, she takes one and forward 
the rest to Bob by her lossless line. Eve stores the pho- 
ton in a quantum memory and waits until the basis rec- 
onciliation. Once the basis is announced, she has only 
to distinguish between two orthogonal states, which can 
be done deterministically. Thus, for all the multi-photon 
pulses Eve obtains all the information about the sent bit. 
If Alice and Bob are in principle connected by a lossy line, 
Eve can block some of the single-photon pulses, and for- 
ward the multi-photon pulses, on which she can obtain 
the whole information, by her lossless line. In this way, 
Alice and Bob do not notice any change in the expected 
raw rate, and Eve remains undetected. When the losses 
are such that Eve can block all the single-photon pulses, 
the protocol ceases to be secure. 

Denote by a the losses in dB per km on the line. The 
expected raw rate at Bob's side is giving by 

RBob = M 10~ 5 / 10 [photons/pulse], (3) 

where 6 = ad is the total attenuation in dB of the quan- 
tum channel of length d. Eve will apply the PNS attack 
on a fraction 1 — q of the pulses. Since she does not want 
to be detected, the raw rate must not change, i.e. she 
has to choose q in such a way that 
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(4) 



where i?BB84 = J2^=2P n ( n ~ 1) I-^]- Eve's information is 
zero when she does nothing, and one for the PNS attack, 
i.e. denoting by S B B84 = 1^=2 P™' 



leve(q) 



(1 — q)SsB84 
q+{l- q)S B BBi' 



(5) 



If the losses are such that q can be zero in Eq. (4) (all 
the one-photon pulses can be blocked), Eve gets all the 
information, without being detected. The critical atten- 
uation, <5 C , is then given by the condition Rbbsa = RBob- 
In figure 1 we show the variation of I eve as a function of d 
for (i = 0.1 and a = 0.25dB/km [20]. The critical atten- 
uation in this case is 5 C = 13 dB, and the corresponding 
distance d c = 52 km. Two important points have to be 
stressed here. First, we do not claim the optimality of 
the PNS strategies we consider in this section from the 
point of view of Eve's information for losses lower than 
S c . Indeed, when the losses begin to be relevant, it is 
more convenient for Eve to perform the PNS attack on 
all the multi-photon pulses and block some of the single- 
photon pulses. One can see that this slightly increase 
I eve , but does not change the critical distance, as defined 
in this article. Second, alternative and more conservative 
definitions of the critical distance can be proposed. For 
simplicity, we consider no perturbations in the absence 
of Eve, i.e. the information Alice-Bob, Iab, is one. But 
in realistic situations and due to the presence of errors 
(for instance due to detector and optical noise) this is not 
true, and the critical distance corresponds to the point 
where I eve = Iab- If the error rate is important, this 
distance may be smaller than the one indicated here. In 
any case, for channel attenuations greater than S c , the 
implementation of the BB84 protocol using weak coher- 
ent pulses is not secure. 

One may wonder whether this attack is only possible 
because the information is encoded on light polarization. 
However the same reasoning is also valid for other encod- 
ings such as, for instance, in the time-bin scheme (see [1]). 
There the information is transmitted using the relative 
phase between two weak coherent pulses that are sent 
through the fiber. In principle, the state leaving Alice's 
side is \(j)) = \/j,e i0 ) |^e 4 V*) where <f> = 0,tt (</> = ±tt/2) 
correspond to ±x (±y). But since there is no phase ref- 
erence, the effective state seen by Eve and Bob is 
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where p(n, 2\x) are Poisson probabilities of mean photon 
number 2/j, and 



\<Pn{4>)) = 




e™*\n-m)\m). (7) 



Note that Bob's state is given by an expression like (6) 
multiplying the mean photon number by the channel at- 
tenuation. It is possible to define a creation and annihi- 
lation operator 



a\4>) = 
a{4>) = 



V2 ' 



(8) 



such that acting on the two-mode vacuum state gives 
<jt(0)|O, 0) = \<pi((f>)}. It is straightforward to see that 



\Vn{4>)) = 



(at(#)« 



nl 



0,0), 



(9) 



[at, a] = 1 and (ip n > (<p)\ ip n {<j))) — 5„ >n /. Thus, the situa- 
tion is the same as in the previous polarization encoding 
scheme [7] . Eve can count the total number of photons in 
the two (now temporal) modes, in an analogous way as in 
the previous photon number measurement for polariza- 
tion, without being noticed by Bob. When "more than 
one" photons are detected, i.e. she projects into \<f2), 
she stores one copy of the state in her quantum memory 
until the basis reconciliation. Obviously, the equations 
and critical values in this case are the same as the ones 
found above for the polarization encoding scheme. 




Distance (km) 

FIG. 1. Eve's information as a function of the distance for 
the PNS attacks described in the text. 



B. The B92 protocol 

An alternative QKD scheme is given by the B92 pro- 
tocol [10]. The classical bit is simply encoded by Al- 
ice using two non-orthogonal states, |^o) an d IV'i) with 
(V'olV'i) 7^ 0- Without loosing generality we will take [21] 
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with < r\ < ir/2 and the overlap is |(V'o|'0i)| = cos 77. 

Bob has to distinguish between two non-orthogonal 
quantum states, and this can only be done with some 
probability. The measurement optimizing this probabil- 
ity is defined by the following positive operators, sum- 
ming up to one [22], 
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1 + cos 77 
1 



n = 
III = 

1 + cos 77 

n ? = 1 - n - Hi 



(11) 



where \ip ± } denotes the state orthogonal to \ip). When 
Bob's measurement outcome is the one associated to H;, 
with i — 0,1, he knows that the state was The 
probability of obtaining an inconclusive result is equal 
to the overlap between the states, p? = (-00 |n? I V'o) = 
(-01 1 n? I ipi ) = cos 77. Thus, Alice and Bob will accept the 
sent bit only for those cases where Bob's measurement 
gives a conclusive result. The probability of acceptance 
is Pok = 1 — cos 77, while for the BB84 this probability is 
equal to one half. Eve's PNS attack is described in the 
following lines. 

In a weak pulse encoding scheme, this protocol is 
clearly insecure. What Eve can simply do is to perform 
the same unambiguous measurement as Bob. When a 
conclusive result is found, she knows the state and she 
prepares a copy of it on Bob's side. When Eve is not able 
to determine the state, she blocks the pulse. Of course, 
as soon as we have some losses in the channel Alice and 
Bob cannot detect the eavesdropping (since they assume 
that the absence of signal is due to the losses), and the 
protocol is insecure. Note that no quantum memory and 
lossless line is needed by Eve in this case. 



C. The 4+2 protocol 

A third QKD protocol was proposed in [11] combining 
some of the ideas of the B92 and BB84 schemes. As in 
the BB84 protocol, there are four states grouped into two 
sets {|0 a ), |l a )}, {|0 fc ), |l h )}. However, as in the B92, the 
states in each set are not orthogonal, their overlaps being 
|(0 a |lo)| = I (Oh I lb) I = cos 77. The situation is depicted in 
figure 2, the four states lie on the same parallel of the 
Bloch sphere. Thus, Alice chooses randomly in which 
of the two sets the bit is encoded. Bob performs at ran- 
dom one of the two POVMs distinguishing the two states 
of each set. After basis reconciliation, they determine all 
the cases where Bob has applied the correct measurement 
obtaining a conclusive result. At first sight, this protocol 
seems more resistant against PNS attacks: compared to 



the BB84 case, Eve can keep some of the photons but 
her measurement after the basis reconciliation may not 
be conclusive. And compared to the B92 case, she does 
not know which of the two measurements has to be ap- 
plied. However, and due to the particular geometry of 
the sets of states, this scheme does not offer any advan- 
tage over the two previous ones. But before describing 
Eve's attack, let us show how the three-outcome POVM 
described by (11) can be interpreted as the concatenation 
of two two-outcome measurements. 





z 








/OA 






/ j y 



FIG. 2. Set of states needed for the 4+2 protocol. 

The effect of any quantum measurement can be repre- 
sented by a set of operators {Ai} satisfying J^i AiA\ — 1. 
If the initial state is p, the probability for any outcome, 
say i, is 



Pl = tx(AipAl), 
and the state is transformed into 



-A iP A\. 



(12) 



(13) 



Consider the states (10). The POVM described by the 
operators (11) can be effectively replaced by a sequence 
of two two-outcome measurements. First, one applies a 
measurement described by the operators 



A ok = 



1 



i/l + cos 77 



(1+^(^1 + 1-^(^1) 



A? = — A ok A 



(14) 



The effect of this first measurement is the following: with 
probability p k = 1 — cos 77 the state \ipo) (|t/>i)) is mapped 
into I + x) (| — x)). This operation is often called a fil- 
tering, and it is equivalent to the cases where the POVM 
(11) gives a conclusive result. When the outcome ok 
has been obtained, it is said that the states have passed 
the filter. If this is the standard von Neumann 

measurement on the x basis suffices for discriminating 
between the two states. 

Let us come back to the 4+2 protocol and consider the 
filter for the states in set a, sending these state into the 
x basis. It is not difficult to see that the same filter maps 
the states in set b into | ±7/). Therefore, a BB84-like 
situation is recovered! 
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It is now easy to design a PNS attack. First, Eve 
counts the number of photons. Similar to the B92 case, 
she applies the filtering two-outcome measurement when 
a multi-photon pulse is obtained. When the result is 
conclusive, she keeps the resulting photon in a quantum 
memory and forwards the rest of photons to Bob. Then, 
as in the BB84 case, she waits for the basis reconcilia- 
tion, and performs the right von Neumann measurement 
allowing her to read the bit. In order to make a fair 
comparison, we always impose the same key rate in the 
absence of Eve as in BB84 using /x = 0.1. In this case 
this means that we must have 

M-BB84 = ^4+2(1 - COS 77). (15) 

In a similar way as above for the BB84 case, one can 
compute Eve's information for this attack. It almost co- 
incides with the one found for the BB84 protocol, and 
the critical distance is again 5 C = 52 km (see figure 1). 
Indeed, the critical distance turns out to be quite inde- 
pendent of the degree of non-orthogonality between the 
states in the 4+2 protocol, if one imposes the equality of 
the raw rates (15). 

The analysis of the 4+2 protocol ends the present sec- 
tion. All the studied QKD schemes do not guarantee a 
secure key distillation when the channel attenuation is 
around 15 dB. Unfortunately, the use of non-orthogonal 
states has not been enough for avoiding Eve's attacks. 
The critical distance basically corresponds to the point 
where the raw rate on Bob's side can be simulated by the 
number of multi-photon pulses leaving Alice's lab. 

D. Strong pulse implementations 

The three protocols analyzed in the previous sections 
are not robust against PNS attacks in a weak coherent 
pulse implementation. Eve exploits the presence of multi- 
photon pulses and the losses on the line. Indeed, at the 
critical distance the losses are such that she can block 
the pulse without being noticed when her attack has not 
succeeded. A possible way of avoiding this problem is to 
send also a strong reference pulse that must always be de- 
tected on Bob's side, as in the original B92 proposal [10]. 
In this way, Eve cannot block the pulses without intro- 
ducing errors. From the implementation point of view, a 
new detector should be added, checking the presence of 
the strong pulse. In the following lines we consider these 
implementations from the point of view of PNS attacks. 
We mainly concentrate on the B92 protocol although, as 
we will see, the same conclusions are valid for the other 
schemes. 

The information encoding uses the relative phase be- 
tween a weak coherent pulse with respect to a strong ref- 
erence pulse that is sent later through the line. Thus, Al- 
ice prepares a weak coherent pulse and a strong pulse sent 



as a reference, \<j>) — e )|/xe e*^), where // 3> /i and 
<j> = 0, 7r encodes the classical bit. For a BB84 scheme, 
<j> = 0, 7r for one of the basis and <p — ±tt/2 for the other. 
Note that the BB84 implementation with a strong pulse 
is indeed the 4+2 scheme [11]. Let us come back to the 
simplest B92 and denote by t the ratio between the two 
intensities t = fif/j,' <C 1. The overlap between the two 
non-orthogonal states is |(0|7r)| = e~ 2/i , so \x < 1. Bob 
delays the weak pulse and makes it interfere with a frac- 
tion t of the strong pulse. Constructive and destructive 
interference correspond to the values and it. The prob- 
ability of inconclusive result is p? = e~ 2 ^ as expected 
(see [23] for a practical implementation of this measure- 
ment), and the transmission rate for small \i is ~ 2[i [11]. 
The detection of the 1 — t < 1 fraction of the strong 
reference pulse by Bob should allow him to detect Eve's 
intervention, i.e. none of the pulses can be blocked. Note 
that this forces the strong pulse mean photon number to 
be significant at Bob's side. However, Eve can always 
take advantage of the multi-photon pulses for acquiring 
partial information. 

Since as usual there is no global phase reference avail- 
able, the effective state leaving Alice's lab is 

p= I ^\m\ = Y,p^ n ^ + ^)\^))^n{<i>% (i6) 

J n n 

where p(n, fj, + //) are Poisson probabilities and 

Wn{4>)) = iLj(Z) (IT^ 6 ^ " m)|m) - 

In a similar way as above, one can define 

at(0) = -^=(at + >/te i M) 

a(4>) = — == (ai + , (18) 

such that acting on the two-mode vacuum state gives 
at(0)|O, 0) = \(pi((j))). Again, we have 

| Vn (0)) = LWL| O ,o) ) (19) 

Vii! 

[a\a] — 1 and (ip n > (<fi)\ip n ((f>)) — 5„ in >. Eve can perform 
a non-demolition measurement for these number states 
without being detected by Bob. Indeed, his state is the 
same as in Eq. (16), just taking into account the channel 
attenuation. 

Denote the channel losses by 5. Since // 3> fi, Eve's 
Poisson distribution is centered around /x' while Bob's 
around /x'10~' 5 / 10 . Moreover the strong pulse must be al- 
ways detected by Bob, so we will impose ^i'10 -5 / 10 = 10 
(at least), which means that p! = lo( 1+s / 10 \ In order 
to make a fair comparison with the BB84 scheme using 
(i = 0.1, we take the same raw rate in the absence of Eve 
at the critical distance, which leads to 
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M-BB84 



= 2/X 



(20) 



and then 1x392 = 0.025, i.e. |(0|tt)| = 0.95, and t = 
10 _(2+5/io) 1^ 

Now, Eve performs the measurement in the \tp n ) basis. 
Since her Poisson probability is centered around //, she 
obtains a pulse containing (on average) \j! photons. On 
Bob's side a pulse with ten photons is expected, so Eve 
keeps |<yV-io) and forwards |<£io) to Bob by her lossless 
line. Eve's intervention remains unnoticed to Bob. Eve 
is now faced with the problem of detecting two states 
having an overlap 



|(¥V-ioMIW-io(0))| = 



1-t 
T+t 



-10 



1 - 1 
T+t 



(21) 



She applies the measurement maximizing her information 
[24], obtaining 



I Eve =I(Pe), 



(22) 



where I(p) = 1 + log 2 p + (1 — p) log 2 (l —p) is the binary 
mutual information (in bits) and p e is the error proba- 
bility, 



Pe = \ (l - v/l-|(^'-loWI^'-lo(0))| 2 ) • 



(23) 



It is not hard to compute the limit for Eve's information. 
For very large distances, fi' — > 00 and then 



|(^WI^'(0))|= Hm 



1 - m/V 

1 + n/n' 



= e~ 2 », 



(24) 



i.e. the initial overlap gives the searched limit and 
Ievc ~ 0.07 bits. Thus, for any distance, the protocol is 
clearly secure against PNS attacks. The same is valid for 
the strong pulse realization of the BB84 protocol, which, 
as said, is the 4+2 scheme. 

Note that strong pulse implementations appear as an 
intermediate step in the transition from discrete to con- 
tinuous variables QKD schemes using coherent states [5] . 
There, a strong reference pulse, with very large mean 
photon number //, is sent through the channel with a 
weaker pulse, containing about hundred photons. The 
security comes from the fact that although // is not weak, 
an infinite range of values is used for the information en- 
coding (while, for example, we have only two in the B92 
case) and Eve is not able to discriminate the sent state. 
However, many of the results presented in this section can 
be translated to these protocols, opening the possibility 
of new eavesdropping attacks [25]. 

Before ending this section let us stress an important 
point about strong pulse QKD implementations that was 
somehow hidden in the previous discussion. It is impor- 
tant to guarantee a reasonable photon number for the 



strong pulse on Bob's side, i.e. the condition //lO - " 5 / 10 ~ 
10 must be always satisfied. Therefore, \x' increases with 
the distance up to which the key should be established. 
Note that 11 is just fixed by the desired overlap between 
the two states used in the B92 scheme, independently of 
the distance. In the previous lines we took a quite conser- 
vative value, coming from Eq. (20). We can indeed con- 
sider 11 = 1/4, which gives |(0|7r)| = 0.6 and lEve ~ 0.5. 
This forces ll' and the ratio t to increase with the dis- 
tance, which can lead to problems in the interferometric 
arrangement needed for detection. For instance for a dis- 
tance of 80 km, that taking as usual a = 0.25 means 20 
dB, we have \x' = 10 3 and t = 10~ 4 /4. However if these 
requirements are met, a secure implementation becomes 
possible with a key generation rate significantly larger 
than for the BB84 scheme using /i = 0.1. 

For the rest of the article however, we will not consider 
this type of scenario and we will deal only with imple- 
mentations using weak coherent pulses. 



III. QKD PROTOCOLS RESISTANT TO PNS 
ATTACKS 



The aim of the present section is to give QKD protocols 
resistant to the PNS attack in a weak pulse implemen- 
tation. From the previous discussion we can understand 
some of the basic requirement for these schemes. We 
have seen above that the apparent robustness of the 4+2 
protocol was not true due to the existence of a quantum 
operation (measurement), represented by (14), that al- 
lows Eve to make pairwise orthogonal the states in the 
sets a and b. After successfully performing this opera- 
tion, she can wait for the basis reconciliation, as in the 
BB84 case, and read the information by a von Neumann 
measurement. Therefore, what Alice needs is a configura- 
tion of sets of states in which to encode her information 
such that there does not exist any quantum operation 
increasing, even with some probability and at the same 
time, the overlap of the states in each set. This is what 
a protocol needs to be resistant to the PNS attack. 

A simple configuration achieving this property is the 
same as in the 4+2, but with one of the two set of states 
reflected with respect to the xy plane (see figure 2). But, 
even simpler, one can restrict oneself to any plane in the 
Bloch sphere, as in the BB84 case. This situation is de- 
picted in figure 3. The general expression for these states 
is 
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After successfully application of the filter that makes or- 
thogonal the states in set a, the overlap between the 
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states in set b has significantly increased. Indeed, it is 
not difficult to see that if the outcome of a quantum op- 
eration, say A,-, makes orthogonal the states of set a, for 
the same outcome the states in set b are less orthogonal 
(see appendix A). So, now Eve has to consider two dif- 
ferent filters, F a and Ft,, that make the states in set a 
and set b orthogonal, respectively. If she wants to get 
the whole information about the bit sent by Alice, she 
has to block all the pulses with less than three photons. 
When the pulse contains three photons, she applies F a to 
the first one, Ff, to the second one, and only when both 
of them are conclusive, she forwards the third photon to 
Bob. It is clear that the distance where Eve can perform 
this attack without being detected is much larger than 
above. It basically corresponds to the point where the 
raw rate is equal to the number of pulses on Alice's side 
with more than two photons. There, Eve can simulate 
the expected raw rate using only these pulses. 
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FIG. 3. States configuration for a QKD protocol robust to 
PNS attacks. 

Using this idea, we can design different state configu- 
rations. One of them turns out to be equivalent, at the 
quantum level, to the BB84 scheme. The states and the 
measurements are the same as in this protocol, the only 
difference being in the reconciliation process. But, sur- 
prisingly, this variation makes the protocol significantly 
more resistant to PNS attacks. The remaining of this 
section will be devoted to the detailed security analysis 
of this protocol. 



chooses randomly between | ± x) and sends the state, 
say | + x), to Bob. Bob measures randomly in the x or 
y basis. After this, Alice starts the reconciliation pro- 
cess announcing the sent state and one of the two pos- 
sible states encoding one, for instance {| + x), | + y)}. If 
Bob's measurement was in the x basis, the result was +1 
(remember that the sent state was | + x) ) and he can- 
not discriminate between the two alternatives. If Bob 
measured in the y basis, for half of the cases the result 
was +1 and for the rest -1. In the first case, he cannot 
discriminate either, but in the latter, he knows for sure 
that the sent bit was not \ + y), and accepts the sent bit. 
At first sight this is just a simple, and not very useful, 
modification of the BB84 protocol. However with these 
variations the obtained protocol is much more resistant 
to Eve's attacks. 

Eve is faced with the following problem: after Alice's 
announcement she will have to deal with one of four pos- 
sible sets of two states, 



si = {+x, +y} s 2 = {+y, -x) 
s 3 = {-x,-y} s 4 = {-y,+x}. 



(26) 



Eve can unambiguously determine the sent state with 
some probability for all the pulses of at least three pho- 
tons. Indeed she measures in the x and y basis the 
two first photons, which allows her to discard two of the 
possibilities. Then, she applies to the third photon the 
measurement discriminating between the two remaining 
states. This intuitively shows that this scheme is more ro- 
bust against PNS attacks, since only three-photon pulses 
provide her with the full information. In the next lines 
we will extend these ideas in a more precise way, show- 
ing that the distance for a secure implementation of this 
protocol is approximately twice the one for the standard 
BB84. First we deal with attacks exploiting the pres- 
ence of multi-photon pulses without introducing errors 
on Bob's side. Then we move to cloning-based attacks, 
where some error is allowed, and finally we analyze the 
combined action of these two eavesdropping strategies. 



A. Four-state protocol 

The configuration of states in figure 3 allows Alice and 
Bob to exchange a key in a secure way for larger distance 
than for many of the existing protocols. In the case in 
which the angle between the states in each set is ir/2 
we recover a BB84-like state configuration. Neverthe- 
less, note that Alice's bit encoding has radically changed 
(see figure 3), since orthogonal states encode the same 
classical bit. 

Suppose as in the standard BB84 that Alice uses as 
information carriers the eigenvectors of a x and a v . Now, 
the bit is encoded into | ± x) and 1 into | ± y) . Con- 
sider the case in which Alice's bit is equal to zero. She 



B. PNS attacks 

The first type of attacks we consider are of the same 
type as the PNS attack for the BB84. Eve uses the multi- 
photon pulses for acquiring information. However, her 
attack cannot be noticed by the honest parties because 
of their limited technological powers, i.e. she must not 
introduce errors on Bob's side. 

As shown above, Eve can determine unambiguously 
the state sent by Alice when the pulse contains more 
than three photons. This is indeed a general result: un- 
ambiguous discrimination between N states of a two- 
dimensional Hilbert space is only possible when at least 
N — 1 copies of the state are available [26]. In this 
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case, the N states fyi)®^ ^ belong to the symmet- 
ric subspace of (C )®( JV_1 ) of dimension N. Since the 
N states are always linearly independent (see appendix 
B), unambiguous discrimination is possible. Above we 
have described a sequence of measurements allowing un- 
ambiguous discrimination between three copies of the 
four states | ± x) , | ± y) . The probability of success is 
given by the third measurement that discriminates be- 
tween two quantum states having an overlap of 1/V2, 
i.e. p k = 1 — 1/V2 ~ 0.3. However, better strategies 
should be expected if one acts globally on the three copies 
of the unknown state. For instance, one can use the nat- 
ural generalization of the POVM described by Eqs. (11). 
For any i = ±x, ±y one can define € (® 2 )fy m as the 
state orthogonal to the three vectors \ipj}® 3 , with j 7^ i. 
Then, the searched measurement is given by the five pos- 
itive operators summing up to the identity of (C )fy m , 
denoted by t 3tSym , 

n 7 = l3 iaW m-5^IIi. (27) 

i 

The probability of having an inconclusive result is, where 

\i&) = \if 3 , 

p? = {i( 3 )|n ? |i< 3 )> = I . (28) 

Indeed, this measurement is optimal if we impose that 
the probability of conclusive result has to be the same 
for the four possibilities to be distinguished. From [27] 
we know that the maximal probability of unambiguous 
discrimination is equal to the reciprocal of the maximum 
eigenvalue of the operator 

\ E (I^X^I), (29) 

i— ±x.±y 

which gives p k = 1/2 [28] . 

Eve's first strategy will consist of counting the number 
of photons on each pulse and block those with less than 
three photons. When at least three photons are detected, 
she performs the previous measurements and blocks all 
the instances where an inconclusive result is obtained. 
When she is able to determine the state, she can prepare 
a new copy of it for Bob. Again, if the channel losses are 
small, she must apply this strategy on a fraction of the 
pulses. The corresponding equations are quite similar to 
the ones seen above, and the critical distance corresponds 
to the point where 

oc 
n— 3 

Eve's information is shown in figure 4, and the critical 
distance turns out to be of approximately 100 km. Note 



that we take fi = 0.2, in order to make a fair comparison 
with BB84 using ^ = 0.1. 

It is evident that for small distances, this strategy is 
quite inefficient from Eve's point of view. Indeed, for 
those instances it is better for her to apply a different 
PNS attack, that we call storing attack: all single-photon 
pulses are blocked, while for all the multi-photon pulses, 
she keeps one photon in a quantum memory until the 
set reconciliation. Then, she has to distinguish between 
two non-orthogonal quantum states, say | + x) and | + z). 
She will apply the measurement maximizing her infor- 
mation obtaining (see Eq. 22)) I eve ~ 0.4 and where the 
error probability is 

p e = \ (l - ^l-\(+x\ + zW) ~ 0.14. (31) 

Storing attacks are particularly dangerous as soon as 
there are errors in the transmission. If this is the case, 
the information Iab is smaller than one and indeed, it 
may be smaller than Eve's information (see section IV 
for a more careful analysis). In a similar way to that de- 
scribed above, depending on the channel losses, Eve can 
interpolate between these two attacks. The correspond- 
ing information curves are shown in figure 4. 




20 40 60 80 100 120 



Distance (km) 

FIG. 4. The figure shows different eavesdropping attacks 
that take advantage of the presence of multi-photon pulses 
for the new four-state protocol. The dashed line represents 
the attack where all pulses with less than three photons are 
blocked. Eve can however interpolates between different at- 
tacks as described in the text, depending on the channel 
losses. The solid line is Eve's information for this second 
possibility. 



The presence of multi-photon pulses represents a se- 
rious drawback, since Eve can take advantage of them 
for acquiring information on the sent bit. Since we do 
not consider advantage distillation protocols, the honest 
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parties can extract a key when Eq. (2) is satisfied. This 
means that the secret bit rate generation, after error cor- 
rection and privacy amplification, is 

Rkey — ^-RBob(l — ^Eve), (32) 

where Rsob is the raw rate of Eq. (3). The 1/4 term 
takes into account the set reconciliation process (Bob has 
to choose the right measurement and obtain the right 
outcome) , and the last term comes from the privacy am- 
plification protocol. Note that we assume for simplicity 
no errors between Alice and Bob, Iab = 1- 

There is in principle an obvious way of avoiding the 
influence of multi-photon pulses: to decrease the pulse 
mean photon number. Nevertheless, this solution may 
be very inefficient, since the raw rate, Rsob, is approxi- 
mately proportional to /i. Therefore, there is a compro- 
mise from the point of view of key generation. Using the 
same techniques as for figure 4, for any 5 one can com- 
pute the optimal fi maximizing Rkey ■ The corresponding 
curve is shown in figure 5. Note that mean photon num- 
bers of the order of 0.2 are indeed optimal for losses ~ 20 
dB. 
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FIG. 5. The figure shows the mean photon number maxi- 
mizing the key rate generation, Eq. (32), as a function of the 
distance. For small distances one cannot take [i arbitrarily 
large, since the four states would become almost orthogonal 
and Eve could do an intercept-resend attack without being 
detected. For large distances, /i cannot be arbitrarily small, 
since the signal becomes negligible with respect to dark counts 
and the channel is completely noisy, Iab ~ 0. 



C. Individual attacks using cloning machines 

All the eavesdropping strategies studied up to now take 
advantage of the fact that the technological power for the 
honest parties has some limitations. In particular, Eve 



uses the multi-photon pulses for acquiring information 
on the sent bit without introducing any error. Neverthe- 
less, the present protocol must be also analyzed under 
the presence of errors, even at the single-photon level. 
It may happen that a small amount of error would al- 
low Eve to gain a large amount of information making 
the protocol unpractical. Indeed, these are the attacks 
Eve would apply at very short distances, where she can- 
not block almost any pulse and almost all the non-empty 
pulses reaching Bob contain just one photon. 

The optimal individual eavesdropping strategy for this 
protocol is unknown. Nevertheless, note that the quan- 
tum structure is the same as for the BB84 scheme, so 
it seems natural to consider its robustness against at- 
tacks using asymmetric phase covariant cloning machines 
[29,30]. These machines, that are briefly described in ap- 
pendix C, clone in an optimal way all the states in the xy 
plane. Let us stress here that they provide the optimal 
eavesdropping for the BB84 protocol [31]. The action of 
these machines in the protocol is depicted in figure 6. 
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QBER 

FIG. 6. The figure shows Alice's and Bob's vs Eve's in- 
formation for individual attacks using the cloning machines 
introduced by Cerf and Niu and Griffiths. The curve for the 
standard BB84 scheme is included for comparison. 



Key distillation using privacy amplification is possible 
whenever Eq (2) is fulfilled. This means that the hon- 
est parties can tolerate an error up to ~ 15%, slightly 
larger than the 14.67% for the BB84. There arc two 
facts in these curves that deserve explanation. First, note 
that the Cerf cloning machine [29] is clearly more efficient 
from Eve's point of view than the Niu-Griffiths one [30] . 
Second, note the surprising decreasing behavior of Eve's 
information for large values of the QBER. Both of them 
are related to the quantum correlations introduced by 
each of the cloning machines between Eve and Bob, and 
the sifting procedure used in the described protocol. 
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Eve waits until the sifting process before doing 
her measurement. If, for instance, Alice announces 
\+x),\+y) and Bob accepts the symbol, Eve knows 
that Bob has successfully projected onto either | — x) or 
| —j/). Then, she modifies her quantum state accord- 
ing to this information. The fact that Bob has got a 
conclusive result (he could discriminate between the two 
non-orthogonal states) increases also the distinguishabil- 
ity on Eve's side because of the quantum correlations. 
On the one hand, this justifies why the Cerf cloning ma- 
chine is more efficient for eavesdropping. It establishes a 
stronger correlation between Eve and Bob, and this helps 
Eve after the sifting process. On the other hand, this 
also explains the decreasing behavior of Eve's informa- 
tion curves. For very large disturbances, the correlations 
between Eve and Bob decreased, and knowing that Bob 
has obtained a conclusive result does not help her too 
much. Thus, it is better to keep some quantum correla- 
tions with Bob, in such a way that his successful unam- 
biguous discrimination increases the distinguishability on 
Eve's side. In the limiting case of QBER = 0.5, Eve just 
takes the state sent by Alice and prepares at random one 
of the four possible states for Bob (or in equivalent terms, 
she forwards a completely noisy state). Her information 
is simply given by Eq. (22) as expected. 

D. PNS+cloning attacks 

The eavesdropping strategies analyzed up to now take 
advantage, either of the presence of multi-photon pulses 
(PNS attacks) or of the errors on Bob's side (cloning at- 
tacks). However for losses such that Eve can simulate 
the expected rate even if she blocks all the single-photon 
pulses, she can combine the two type of attacks, if she 
is allowed to introduce some errors. This basically cor- 
responds to distances d > 40 km (see figure 4). There, 
Eve counts the number of photons in the pulse and stops 
those having one photon. For all the two-photon pulses, 
she applies an asymmetric phase covariant 2-^3 cloning 
machine, and forwards one of the clones to Bob. This 
operation introduces errors, depending on the quality of 
Bob's clone. In general, for a pulse having n photons, 
she uses an n — > n + 1 cloning machine, although in this 
section we consider only the 2^3 case, since P2 is sig- 
nificantly larger than p% . As far as we know this type of 
attack has been never considered before. This may ex- 
plain why the expression for the phase covariant n — > m 
asymmetric cloning machine is unknown (at least to us). 
In appendix D we describe two unitary transformations 
generalizing, in a non-optimal way, the asymmetric 1 — ► 2 
cloning machines to the 2—^3 case (see also [32,33]). 

Eve counts the number of photons in the pulse. All the 
single-photon pulses are blocked, while for those pulses 
having two photons she applies one of the 2 — > 3 cloning 
machines shown in appendix D. In this case it is unclear 



which of the clone states she has to forward to Bob. It 
turns out that for small disturbances, such that Eve's 
information is smaller than Iab, there is almost no dif- 
ference between the two cases. Figure 7 shows the infor- 
mation Eve can get with this strategy as a function of the 
disturbance on Bob's side. We consider that Bob receives 
one of the two clones with the same fidelity, i.e. either the 
first or the second qubit of Eq. (55) or (56). Key distil- 
lation is possible using error correction and one-way pri- 
vacy amplification up to disturbances of approximately 
8.5%. 
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FIG. 7. The figure shows Alice's and Bob's vs Eve's infor- 
mation for attacks using the cloning machines described in 
appendix D. Upper curves correspond to the cloning machine 
of Eq. (55), which is more powerful from Eve's point of view. 



E. The Geneva-Lausanne experiment 

The four-state protocol is at the level of state prepara- 
tions and measurements, identical to the BB84 scheme. 
It only differs in the sifting process, less efficient in the 
absence of Eve by a factor of two on the raw key, but 
more robust against PNS attacks. Thus, all the existent 
experimental implementations of the BB84 protocol can 
be thought of as implementations of the new four-state 
protocol. 

Let us analyze the recent Geneva-Lausanne experiment 
[13], where a key was distributed over 67 km using the 
BB84 scheme. The mean photon number of the pulses 
used in this experiment was indeed 0.2 photons/pulse, 
so all our results directly apply. According to figure 
1, the protocol is not secure at this distance because of 
the PNS attack even for \i = 0.1 (and BB84 encoding). 
However this is not the case if one uses the new pro- 
tocol. The experimental QBER was approximately 5%, 
where 4% was due to dark counts on the detector and 
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1% due to optical imperfections. As said above, Eve is 
assumed to have only access to the optical error. Then 
Iab = /(0.05) ~ 0.71 bits, while I Eve (see figure 7) is 
clearly smaller than 0.5. Thus, Alice and Bob can safely 
distill a key. Note that even in the more restrictive sce- 
nario where Eve can take advantage of the full error (in- 
cluding the detector noise), her information is smaller 
than Iab and the protocol is secure. Therefore, the ex- 
isting implementation becomes secure just by changing 
the sifting process. 



IV. GENERALIZATION TO MORE SETS 

The detailed analysis of the four-state protocol has 
given us insight into the way of designing QKD protocols 
resistant to PNS attacks. The presence of multi-photon 
pulses is still a problem, since they open the possibility 
of unambiguous discrimination or storing attacks provid- 
ing Eve full or partial information. But there is a simple 
way of improving the robustness of the protocol: just 
adding more states for the encoding. A quite natural 
generalization of the previous protocol follows this idea 
and consists of adding more bases in a plane of the Bloch 
sphere for the encoding of the bit, as shown in figure 
8 for the case of four bases (eight states). On the one 
hand more photons (or copies of the unknown state) are 
needed for the unambiguous discrimination to be pos- 
sible. On the other hand the overlap between the two 
announced states decreases, which is also good against 
storing attacks. Nevertheless, the key rate decreases un- 
less we use a larger mean photon number, which increases 
the presence of multi-photon pulses, that are dangerous 
for the security. Thus, a compromise appears. The aim 
of this section is to explore this fact by analyzing the 
resistance of this generalized protocols against the two 
type of attacks mentioned above: PNS with unambigu- 
ous discrimination and storing attacks. 

Any protocol is uniquely defined by the number of 
bases rif, used for the bit encoding. We will not con- 
sider a very large number of bases, since the protocol 
would become impractical. In the previous sections we 
had rib = 2 while rib — 4 for the protocol in figure 8. If 
Alice wants to send a bit b, she chooses at random be- 
tween the rib states encoding b and sends it to Bob. Bob 
measures at random in any of the rib bases. Then, Al- 
ice announces the sent state plus, again randomly, one of 
the two neighboring states (encoding 1 — 6). Bob accepts 
the bit when (i) he has measured in one of the two bases 
associated to the two states announced by Alice and (ii) 
his measurement outcome is orthogonal to one of these 
states. Indeed, this allows him to discard one of the two 
possibilities and to infer b. Thus, Bob needs to choose the 
right measurement and obtain the right outcome, which 
happens with probability 



Pb = ± s in 2 (^-). (33) 
n b \2n b ) 

As usual, in order to make a fair comparison, we impose 
for any protocol that at very large distances (attenua- 
tions) the raw rate is the same as in the standard BB84 
with fi = 0.1. This implies that 

K n b) = = V7~^- (34) 

20 Pb 20 sin* (^) 

Note that for large rib, fi>(n>b) ~ n\. This means that the 
mean photon number becomes significant when rib in- 
creases and we are not longer dealing with weak pulses. 
Therefore, some of the approximations used above (see 
[19]) are not valid. 
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FIG. 8. Bit encoding in a protocol using four bases. 

Eve has now to discriminate between 2n& one-qubit 
states, and this can be done with certainty only when 
n e = 2rib — 1 copies of the unknown state are available 
(see [26] and appendix B). The maximum probability of 
success, p k, correspond to the maximum eigenvalue of 
the operator [27] 

^£l^><n 05) 

k— 

Here Ik 1 -) denotes the state in (C 2 )®J^ orthogonal to all 
\j)® n ", where j = 0, . . . , n e but j ^ k and 

We have numerically calculated these probabilities up to 
rib = 8 and they appear to be given by the formula 
Pok(n>b) = rib/A nh , although we do not have an ana- 
lytical proof. The critical attenuation 5\ (in dB) where 
the protocol ceases to be secure against this attack has 
to be such that Eve can simulate the expected rate by 
the number of pulses containing at least n e photons and 
giving a conclusive result. This leads to 

5>(«> MMlO- 5l/10 )(l ~ (1 - VdetT) = 

Pok(n b ) J2 Km,M(n 6 )Xl-(l-W m - ne+1) ). (37) 

m > n e 



n 



The corresponding curve is shown in figure 9. 
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FIG. 9. Critical distance for protocols using n b bases. Up- 
per curve is given by PNS attacks using unambiguous discrim- 
ination, while the lower curve corresponds to storing attacks, 
as explained in the text. Storing attacks are clearly more 
efficient from Eve's point of view. 



There are other attacks, exploiting the presence of 
multi-photon pulses, that provide Eve with partial in- 
formation without introducing errors. For instance, Eve 
can count the number of photons and keep n s , depend- 
ing on the channel attenuation, without being detected. 
She waits until the basis reconciliation and performs the 
measurement maximizing her information (see Eq. (22)). 
These attacks can be very dangerous as soon as we con- 
sider errors on the transmission. We assume that the 
main sources of errors are the detector noise, quantified 
by the probability p d of having a dark count, and the 
optical error QBER opt . The total QBER for a channel 
attenuation of 5 is approximately equal to 

QBER = ■ — — ^ — m-s/w + Q BER o P t , (38) 

since half of the dark counts produce a click in the 
wrong detector. Thus, for any distance one can com- 
pute the amount of errors and the corresponding Iab = 
I (QBER). If I Eve is larger than Iab, the protocol is not 
secure. For any n s , we can define a critical attenuation 
such that the honest parties cannot notice Eve's storing 
attack. This attenuation corresponds to the point where 

5>(n, mM10- 5 ("^ 10 )(1 - (1 - VdetT) = 

n>0 

£ P (m,p(n b ))(l-(l- Vdet Y m -^). (39) 

m>n s 

For intermediate attenuations (distances), Eve can in- 
terpolate between two attacks, as described above. In 



this way, we can compute the two curves Iab and lEve 
as a function of the distance. Figure 10 shows the ob- 
tained results, where we took r] de t = 0.1, p d = 10~ 5 and 
QBER pt = 1%- The point where Iab — Ievc provides 
the critical distance, S2 , for this type of attacks. In figure 
9 we plot both the Si and S2 as a function of n b . It is 
quite plausible that min(<5i, <52) gives a good estimation 
for S c , the critical distance associated to the unknown 
optimal attack. Thus, one can safely conclude that a key 
can be established using a reasonable number of bases up 
to distances of the order of 150 km [35]. 
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FIG. 10. Information curves as a function of the distance 
for protocols using rib = 2, . . . , 5 bases. Solid lines represent 
the information Alice-Bob: at large distances, the signal level 
is small compared to dark counts and the QBER becomes im- 
portant (see Eq. (38)). Dashed lines show Eve's information: 
at large distances, she can keep many photons without being 
detected, acquiring more information on the sent state. The 
point where the two curves cross defines the critical distance 
where the protocol is no longer secure. 



V. CONCLUSIONS 

Unconditional security of quantum cryptography relies 
on some experimental assumptions that are not achiev- 
able with present-day technology. Thus, in a more real- 
istic scenario, the honest parties have to deal with ap- 
proximated single-photon sources, noisy channels, inef- 
ficient detectors and so on, while no limitation on the 
eavesdropper technology should be assumed. This opens 
the possibility for alternative eavesdropping attacks, tak- 
ing advantage of Alice and Bob's technological imperfec- 
tions. Indeed, using as a reference the BB84 scheme with 
(i = 0.1, all the known protocols become insecure against 
PNS attacks for channel losses of the order of 13 dB. 
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In this article we show how to construct QKD protocols 
resistant against PNS attacks up to channel losses of 40 
dB. There are two possibilities for that: (i) to exploit the 
non-orthogonality of quantum states in a different way, 
as in the presented four-state protocol or (ii) to include 
a strong reference pulse that must be always detected 
by Bob. Both possibilities seem achievable with current 
technology. In the first case, already existent implemen- 
tations of the BB84 protocol [13] provide an experimen- 
tal demonstration of QKD secure against PNS attacks, 
when the alternative sifting process is applied. The sec- 
ond possibility shows a connection between discrete and 
continuous variables QKD schemes that deserves further 
investigation. 
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APPENDIX A 

In this appendix we show that the overlap between all 
the states in figure 3 cannot be decreased by the same 
quantum operation. Using the parametrization of Eq. 
(25), one can see that 



|0 6 ) =c\Q a )+c'\l a ) 
|l6>=C|0„)+c|l o ), 



(40) 



1 + cos 2 rt 1 
Pb = — • 

sin -q p a 



(44) 



(45) 



Their overlap is 

,,„/, i \ i 2cos?7 

i.e. the states in set b become less distinguishable. 



APPENDIX B 

In this appendix we will show that TV — 1 copies of TV 
one-qubit state are always linearly independent (see also 
[26]). Consider TV — 1 copies of TV — 1 general states of 
one qubit, \ipi) with i = 1, . . . , TV — 1. They belong to the 



symmetric subspace (C ) 



2^<g>(iV-l) 



of dimension TV. Our 



aim now is to add a new state and to see when this state 
can be written as a linear combination of the previous 
ones. In other terms, we want to find a state \iPn) € C 
such that the determinant of the TV x TV matrix 

(|^> 0(JV - 1) -"|^-i> 8(W - 1) |^> 0(W - 1) ) (46) 

is zero. Note that the norm of the state does not play 
any role, so we can write 



(47) 



where x is an unbounded complex number. Condition 
(46) then gives an TV — 1 degree polynomial equation on 
x. There are TV — 1 solutions, that correspond to the 
TV — 1 trivial cases \iPn) = for i = 1, . . . , TV — 1. 
Thus, TV — 1 copies of any TV different one-qubit state are 
always linearly independent. 



where 



COST] 

sin 77 



smr] 



(41) 



Now, consider a quantum operation, M, mapping with 
some probability p a the states in set a into some new 
states, |0„) and |1„), such that (0jjl' a ) = 0. This means 
that 



M\i a ) 



1 



K), 



(42) 



where i — 0,1. Because of the linearity of Quantum Me- 
chanics, the states in set b will be mapped into 



1 



|o;> = — (cK) + c'o 



\l' b ) = ^={c'K)+c\l' a )), 



(43) 



with probability 



APPENDIX C 

In this appendix we briefly describe the asymmetric 
phase covariant cloning machines introduced in [29,30]. 
These machine clone with maximal fidelity all the states 
that lie in the xy plane. At first sight, their only differ- 
ence is that the one in [29] uses as an input state a two- 
qubit reference state plus the state to be cloned, while 
for the second one qubit suffices as ancillary system. 

Consider an input state to be cloned, and a one-qubit 
ancillary system in a reference state, say |0). The Niu- 
Griffiths cloning machine [30] is defined by the following 
unitary transformation 



C/^ G |00) 12 = |00) 

^i2 G | 1 0)i2 = cos 7 |10) + sin 7 |01), 



(48) 



with < 7 < 7r/2. From the definition it is evident 
that this transformation does not affect in the same way 
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the two poles | ± z) of the Bloch sphere. Nevertheless, 
this is not the case for those state lying in the xy plane, 
i.e. \&) = (|0) + e^|l))/V2. The searched clones are 
the mixed local states resulting from tracing cither the 
first or the second qubit on the state resulting from the 
application of Eq. (48), 



Pt = tr 2 _i(njvGW), 



where i = 1,2 and Ung(-&) is the projector onto 
Ung\$)\0)- One can easily see that Vi? 

a 



pi = cos7|$)(^| + (1 — cos 7) ■ 



p 2 = shi7|i?)(tf| 



(l-sm 7 )-. 



(50) 



Then, the corresponding clone fidelities, defined as Fi = 
(i?|pi|i?), are (1 + cos7)/2 and (1 + sin7)/2. The larger 
the fidelity for the first clone, the smaller for the sec- 
ond. Equality is achieved when cos 7 = sin 7, and then 
F 1 =F 2 = (l + l/V2)/2. 

The second type of cloning machine we consider are 
those introduced in [29]. There, two qubits are used as 
the ancillary system, and the unitary transformation is, 
for any input state £ C , 

U?M\0Q) = F \rl>)\*+) + (1 - F)a z \i,)\$-) + 

VF(l-F) (a x \iP)\*+)+ia y \iP)\*-)), (51) 



where 



|$ ± ) = - 7 =(|00)±|11)) 



V2 



(|oi>±|io» 



(52) 



define the standard Bell basis. It is not difficult to see 
that the local state in the first two qubits is the same as 
in Eq. (49), if one takes F = (1 + cos 7 )/2. 

Eve can use these transformations in order to obtain 
some information about the sent bit. She clones the state 
sent by Alice, and she forwards the first clone to Bob 
and keeps the second. Obviously there is a compromise 
between the quality of the two clones: the better Eve's 
clone the worse Bob's state. Or in other words, the more 
the information intercepted by Eve, the more the errors 
on Bob's side, that allow the honest parties to detect 
Eve's intervention. As seen above, the two machines are 
in many senses equivalent (especially as far as for the 
cloning fidelities are concerned). However the two at- 
tacks differ in the amount of correlations Eve establishes 
with Bob. This fact is going to be very important for the 
type of protocols analyzed in this work. 



cloning machines to the 2^3 case. The complete de- 
scription of these machines will be given elsewhere [32] . 

The first machine is mainly inspired by Niu-Griffiths 
construction. The initial input state corresponds to two 
copies of an unknown one-qubit state, l^)® 2 €E ((D ® 
<D )sym- Using a two-dimensional ancillary system, say 



(49) in state |0), one can define the unitary operation 



E/£ G |00>|0> = 1 000) 



^3 G |^ + )|0) = 



cos7(|010) + |100>) + sin7|001) 
\Jl+ cos 2 7 



^ Gr)r _co S 7|110)+sin7(l011) + il01)) ^ 



sin 2 7 



As in the 1^2 case, this machine has not the same 
effect on the states |0) and |1). After some lengthy al- 
gebra one can see that all the states in the xy plane 
are cloned with the same fidelity. The local state of each 
of the three qubits is a combination of the identity with 
the initial pure state as expected, the fidelities being (see 
also figure 11) 



NG 



F 2 NG = 



1 



+ 



cos 7 



1 



pNG 



2 2 v /3 + cos(2 7 ) V 17 - cos(4 7 ) 
sin 7 sin(27) 



2 2 v / 3 + cos(27) ^17- cos(4 7 ) 



(54) 



Note that when 7 = tt/4, F^ g = F£* G = (6 + 2\/2 + 
VE)/12 <~ 0.94, slightly larger than the fidelity of the 
2^3 universal symmetric cloning of [34]. It has to be 
stressed that the fidelity for the third clone never reaches 
the value of one, contrary to what happens for the 1 — > 2 
case. As we learnt from the analysis of the individual 
attacks, in the type of protocols we analyze it is more 
convenient for Eve to introduce an extra ancillary sys- 
tem in such a way that she is better correlated to Bob's 
result. This can be done introducing an ancillary sys- 
tem on Eve's side, such that the action on the states of 
the computational basis is symmetrized. Note that in 
the 1 — > 2 case this procedure allows to pass from the 
Niu-Griffiths to the Cerf cloning machine. The resulting 
machine can be expressed as, 



ttNGs 1 
u 23 



s)\00) = (l^ G | S >|0))|0) + (tf 2 T»|0»|l>, (55) 



JVGi 



APPENDIX D 

In this appendix we give two different unitary transfor- 
mations that somehow generalizes the 1 — > 2 asymmetric 



where |s) = |00), |<f>+), |11) and U^ has the same form 
as 1/2%° but interchanging zeros and ones. The cloning 
fidelities are again equal to Eq. (54). 
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Fidelity for the first two clones 
FIG. 11. Cloning fidelities for the 2^3 cloning machines 
defined by Eqs. (53) (solid line) and (56) (dashed line). The 
circles correspond to the points where the cloning fidelities 
are equal. 



The second machine we consider is based on the Cerf 
construction [29]. As an input state we have two qubits 
of an unknown one-qubit state plus a two-qubit ancillary 
system. Then, we define the following unitary operation, 

U?M® 2 \00) = v\^f 2 \^+) + x{a z \^>-) + 

a^n^+^H*-)), (56) 
where, for k = x,y, z, 

& k = ok <g> 1 + 1 <g> <7fc, (57) 

and v 2 + 8x 2 = 1 . One can see that for any input state 
in the Bloch sphere, the local state of the first two qubits 
are two identical clones with fidelity Ff = F% = 1 — 2x 2 , 
while in the third qubit we have another clone with fi- 
delity F 3 C = 1 - (v - 3x) 2 /2. Thus, the machine (56) is 
an asymmetric universal cloning machine, i.e. not phase 
covariant. Indeed, at the point where the three fidelities 
are equal, we recover the 2 — > 3 cloning fidelity of [34] 
Ff = F^ = 11/12 (see also figure 11). Note also that in 
this case, Ff can be equal to one. Moreover, there are 
some points where, for a given fidelity for the first two 
clones, the fidelity for the third one is larger using this 
cloning machine than for the phase covariant machine of 
Eq. (53). This shows that the latter is not the optimal 
phase covariant asymmetric 2 — > 3 cloning machine. One 
is tempted to generalize Cerf construction in a direct way, 
defining a phase covariant machine by changing the co- 
efficient of one of the error terms in (56). However, the 
resulting operation is not unitary [32]. Therefore, we can 
only propose two possible asymmetric phase covariant 
machines, although we know that they are not optimal. 
Nevertheless, it is quite reasonable to suppose that the 
increase on Eve's information will not be very significant 
when using the, at present unknown, optimal one [33]. 
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